Slashdot Mirror


50 Million Potentially Vulnerable To UPnP Flaws

Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"

18 of 138 comments

  1. Is it ``hacking'', the way they discovered it? by girlinatrainingbra · · Score: 4, Interesting
    So did they come up with the number of vulnerable sites from (a) -- sales figures of devices with UPnP enabled by default,

    or did they actually do active spidering of (b):

    1 -- a representative sample of IP addresses in a particular space
    2 -- a wide ranging probe of many many IP addresses all around the world?

    If they did (a) above, then sure it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal, eh?

    1. Re:Is it ``hacking'', the way they discovered it? by Anonymous Coward · · Score: 5, Informative

      Their methodology is explained in the report. Halfway through the first page of executive summary you'll find the following:

      UPnP discovery requests were sent to every routable IPv4 address approximately once a week from
      June 1 to November 17, 2012.
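The methodology quoted above amounts to sending the ordinary UPnP discovery datagram and recording who answers. The script below is an added example (not code from the Slashdot thread or from the Rapid7 report) showing what that exchange looks like from the defender's side: it parses SSDP replies, fingerprints the software stack from the SERVER header (libupnp, which the story names as the most common and most vulnerable stack, and MiniUPnPd), and flags any device that answers from a non-LAN address, which is exactly the exposure the study counted. The replies, addresses and the "local range" definition are constructed assumptions.

```python
"""Inventory SSDP (UPnP discovery) replies and flag devices answering from the WAN side.

Added example for this thread, not code from the Slashdot page or from the Rapid7 report.
M_SEARCH is the standard UPnP discovery datagram; the replies and addresses below are
constructed samples (203.0.113.0/24 is a documentation range used as a stand-in).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The discovery request a UPnP control point multicasts to 239.255.255.250:1900.
# Any device that answers it names its SSDP implementation in the SERVER header.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed replies: a home router on RFC 1918 space, and a gateway that answers
# from a public address, i.e. SSDP is reachable from the Internet.
SAMPLE_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1",
     "HTTP/1.1 200 OK\r\n"
     "CACHE-CONTROL: max-age=1800\r\n"
     "ST: upnp:rootdevice\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
     "LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
     "SERVER: Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
     "\r\n"),
    ("203.0.113.7",
     "HTTP/1.1 200 OK\r\n"
     "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     "LOCATION: http://203.0.113.7:5000/rootDesc.xml\r\n"
     "SERVER: OS 1.0 UPnP/1.1 MiniUPnPd/1.4\r\n"
     "\r\n"),
]

# Ranges treated as "inside the LAN" for this example (assumption): RFC 1918, loopback,
# link-local. A reply from any other source means SSDP is answering on the WAN side.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# SERVER-header fingerprints; libupnp's default banner reads "Portable SDK for UPnP
# devices/<ver>" (older releases: "Intel SDK for UPnP devices/<ver>").
STACK_PATTERNS = {
    "libupnp": r"(?:Portable SDK for UPnP devices|Intel SDK for UPnP devices|libupnp)/?([\d.]+)?",
    "miniupnpd": r"MiniUPnPd/([\d.]+)",
}


@dataclass
class SsdpDevice:
    source: str
    server: str
    location: str
    usn: str
    stack: str
    wan_exposed: bool


def identify_stack(server_header: str) -> str:
    """Name the UPnP stack (and version, when the banner carries one) or 'unknown'."""
    for name, pattern in STACK_PATTERNS.items():
        m = re.search(pattern, server_header, re.IGNORECASE)
        if m:
            return f"{name} {m.group(1) or '?'}"
    return "unknown"


def parse_ssdp_reply(source_ip: str, payload: str) -> SsdpDevice:
    """Parse an HTTPU '200 OK' reply to M-SEARCH; header names are case-insensitive."""
    lines = payload.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP reply from {source_ip}: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    addr = ipaddress.ip_address(source_ip)
    server = headers.get("server", "")
    return SsdpDevice(
        source=source_ip,
        server=server,
        location=headers.get("location", ""),
        usn=headers.get("usn", ""),
        stack=identify_stack(server),
        wan_exposed=not any(addr in net for net in LOCAL_NETS),
    )


def inventory(replies: List[Tuple[str, str]]) -> List[SsdpDevice]:
    return [parse_ssdp_reply(ip, payload) for ip, payload in replies]


def summarize(replies: List[Tuple[str, str]]) -> dict:
    """Counts a defender wants first: how many answered, how many from the WAN, which stacks."""
    devices = inventory(replies)
    by_stack: Dict[str, int] = {}
    for d in devices:
        by_stack[d.stack] = by_stack.get(d.stack, 0) + 1
    return {"total": len(devices),
            "wan_exposed": sum(d.wan_exposed for d in devices),
            "by_stack": by_stack}


if __name__ == "__main__":
    for d in inventory(SAMPLE_REPLIES):
        print(f"{d.source:15} {'WAN-EXPOSED' if d.wan_exposed else 'lan':12} {d.stack:16} {d.location}")
    print(summarize(SAMPLE_REPLIES))
```

The SERVER banner is the cheapest signal you have: the same header the researchers keyed on is what your own router broadcasts to every host on the LAN, so an inventory like this (fed from a real multicast M-SEARCH instead of the constructed replies) tells you which stack and version sits on your gateway before you go looking for a firmware update or the UPnP checkbox.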

    2. Re:Is it ``hacking'', the way they discovered it? by girlinatrainingbra · · Score: 2

      yep, i noticed that too when i RTFA'd after posting, just like every other dottir here on /. ;>)

    3. Re:Is it ``hacking'', the way they discovered it? by Bengie · · Score: 2

      As far as I can tell, scanning ports is not illegal unless you do so in a manner that can DoS them.

  2. Long standing bet by EmperorOfCanada · · Score: 5, Insightful

    I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old D-Link, Linksys, etc. routers out there doing their thing without being massively attacked.

    The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.

    So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.

    1. Re:Long standing bet by Corwn of Amber · · Score: 3, Insightful

      Router software is utter, total, complete shit and all of it is attackable with 25-year-old buffer overflows.

      GP is right. A worm packing a handful of attacks, designed to replicate on old routers, would make hundreds of millions of victims and nothing could stop it.

      It would actually force the rock-stupid morons to replace their obsolete hardware, though. That would be a good thing. Even if they buy the new castrated shit hardware that won't ever be supported.

      --
      Making laws based on opinions that stem from false information leads to witch hunts.
    2. Re:Long standing bet by Bearhouse · · Score: 2

      Interesting thought, which has probably occurred to other people, of course.
      I suppose the reason why we have not seen large-scale attacks on routers so far, (and maybe there are some out there already, undetected) is that it has just been easier to infect PCs and use them in botnets, with the tools widely available.
      Would probably take a little more time and ingenuity to set up a net of zombie routers, with the need to tailor the worm or whatever a little to each model/software stack.
      However, once it was in place, can you imagine the disruption? Most SOHO & home users don't know anything about their ISP modem/routers at all, and use them by default as their firewall. Imagine that *gone* tomorrow. An ISP trying to roll out large-scale firmware updates to a non-tech-savvy audience sounds like a recipe for disaster. (Although I suppose many of the later models support remote update...).
      Since many users have no choice in their selection of ISP device, it is surely the responsibility of the ISP to make them secure...yeah, like it's their responsibility to get us all IPv6-compatible stuff too...don't hold your breath.

      In the meantime, roll your own firewall box everyone, and while you're at it, do one for your friends and relations. It's cheap and fairly easy.
      Here's a good place to start.
      http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 (You don't have to use BSD, of course, most any flavour of *x will do)
      Or just download a distro where pretty much all the work has been done for you.
      http://www.techradar.com/news/software/applications/7-of-the-best-linux-firewalls-697177

      Of course, sitting smug and secure behind your shiny new firewall box will not help if you cannot access the net except via your compromised POS router. If you can, buy a decent one to substitute for the ISP-supplied crap.

  3. find the posts by r00t · · Score: 3, Interesting
  4. FYI If you have Verizon FiOS... by eksith · · Score: 4, Informative

    ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their Skype/game access and then calling tech support.

    But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900

    Suck it, Verizon!

    --
    If computers were people, I'd be a misanthrope.
    1. Re:FYI If you have Verizon FiOS... by rvw · · Score: 4, Funny

      ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their Skype/game access and then calling tech support.

      But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900

      Suck it, Verizon!

      Forgot to add, my router model is MI424WR-GEN3I

      Hey, I just tried to log in to your browser, but it seems to be a Linksys router, and that link didn't work, got a 404 back. So please - for the next time - make sure what you're talking about!

  5. Re:I saw this coming 5 years ago by sumdumass · · Score: 2

    Steve Gibson of grc.com had been warning about plug'n play since late 2001 when Windows XP was on its first release. He even offered a service to quickly turn it off and scan for it.

    Of course that was back when MS claimed their software firewall on XP was enough to put your computer directly onto the internet and you could use the XP machine as a router with internet connection sharing actually working easily on it. And if doing so, the average time from fresh install to infected was about 5 minutes or so, often before your AV could update and detect the infection. I think that rose to about 15 minutes after some updates and I lost track of what it might be now.

    Anyways, the alarms have been going up for about 12 years now. I wasn't aware that routers were implementing it until recently so I'm sure I'm in the problem pile on this.

  6. Lol shovelware by Corwn of Amber · · Score: 2

    Yes, shovelware applies to hardware too. Hardware like home routers, which are NEVER EVER updated - be it by their rock-dumb owners or their irresponsible manufacturers.

    And then this happens. All the time forever, until the greedy fucks who make those never-updated shit get slapped with fines for gazillions, and THEN the surviving ones would begin to think of SUPPORTING the crap they sell, instead of shoveling poorly-differentiated models that only exist to make the non-castrated one more expensive than it has any sort of right to be. But then market segmentation is worth so much more than supporting the products you sold! Why would they sell at what the product is worth (i.e. marginal production cost) when they can pretend to turn more profit by selling half-products at full price so that the complete product costs three times what it should? And when making several models by chopping out necessary things from the reference one, it gets much more complicated to support all the kinds of half-products, instead of making one that works well and is supported for long.

    Also, the only company that does Just That - good products at some price point, but no range of half-products headed by one real model (that all the shit ones are based on, minus vital features) happens to be the most profitable company in the world. Just sayin'.

    --
      Making laws based on opinions that stem from false information leads to witch hunts.
  7. Re:Brilliant by design by rvw · · Score: 2, Insightful

    Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.

    So don't install the Java plugin in your browser and quit bullshitting.

  8. Re:I saw this coming 5 years ago by Nerdfest · · Score: 2

    Does anyone know if the latest DD-WRT, OpenWRT, and Tomato releases are vulnerable?

  9. Re:UPnP is a vulnerability by green1 · · Score: 4, Informative

    Almost all routers are not vulnerable, if you are smart enough to uncheck the UPnP box. I haven't seen many where you can't disable it, and as has been pointed out elsewhere, running a firewall where any malware can request a gaping hole in it sort of defeats the purpose.
    These flaws are already a non-issue to anyone who takes security seriously. The problem is that the average user leaves things as they come from the factory, and they come from the factory vulnerable.
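The "gaping hole" point above is about the IGD port-mapping table: any LAN program can ask the router to forward a port, and most owners never look at what has been forwarded. The script below is an added example (not code from the Slashdot thread or from any router vendor) of auditing that table the way a defender would. It parses GetGenericPortMappingEntry replies, which is the standard WANIPConnection action a control point calls with index 0, 1, 2, ... until the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid), and flags mappings that expose an administrative service or never expire. The two SOAP replies, the hosts and ports in them, and the list of "admin" ports are constructed assumptions for illustration.

```python
"""Audit the port mappings a UPnP Internet Gateway Device (IGD) currently holds.

Added example, not code from the Slashdot thread. GetGenericPortMappingEntry is the
standard WANIPConnection action for walking the mapping table (index 0, 1, 2, ... until
UPnP error 713 SpecifiedArrayIndexInvalid). The SOAP replies below are constructed
samples standing in for such a walk; hosts, ports and thresholds are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SAMPLE_REPLIES = [
    # Mapping 0 (constructed): a desktop's RDP port opened permanently to the whole Internet.
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
    ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>'
    '<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>RDP</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    # Mapping 1 (constructed): a game client's one-hour UDP hole, the use case UPnP exists for.
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
    ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>27015</NewExternalPort>'
    '<NewProtocol>UDP</NewProtocol><NewInternalPort>27015</NewInternalPort>'
    '<NewInternalClient>192.168.1.30</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>Game client</NewPortMappingDescription>'
    '<NewLeaseDuration>3600</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
]

# Services that should never be reachable from the Internet through a home router
# (assumed list; extend for your environment).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}


@dataclass
class PortMapping:
    remote_host: str        # empty string means "any source address"
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str        # set by the program that requested the mapping
    lease_seconds: int      # 0 means the mapping never expires on its own


def parse_mapping(soap_xml: str) -> PortMapping:
    """Pull the New* fields out of one GetGenericPortMappingEntryResponse body."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix, if any
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        enabled=fields.get("NewEnabled", "1") == "1",
        description=fields.get("NewPortMappingDescription", ""),
        lease_seconds=int(fields.get("NewLeaseDuration") or 0),
    )


def audit(mappings: List[PortMapping]) -> List[str]:
    """Return one finding per risky property of each active mapping."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        where = (f"{m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port}"
                 f" ({m.description or 'no description'})")
        service = ADMIN_PORTS.get(m.internal_port) or ADMIN_PORTS.get(m.external_port)
        if service:
            findings.append(f"admin service ({service}) reachable from the Internet: {where}")
        if m.lease_seconds == 0:
            findings.append(f"permanent mapping, outlives the program that requested it: {where}")
    return findings


if __name__ == "__main__":
    table = [parse_mapping(reply) for reply in SAMPLE_REPLIES]
    for finding in audit(table) or ["no risky mappings found"]:
        print(finding)
```

Against a real gateway, the same walk is what `upnpc -l` from the MiniUPnP client package performs; feeding its rows, or the raw SOAP replies, into `audit` gives a quick answer to "what has UPnP quietly opened on my router", which is the first thing to check before deciding whether the checkbox stays on.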

  10. Re:UPnP is a vulnerability by hairyfeet · · Score: 2

    Nooo...it's a solution to a VERY real problem but it's a problem that most geeks don't realize exists. You see your average Joe has all these devices that can connect to the Internet, multiple PCs, tablet, phone, Internet enabled TV, but they don't have a damned clue on how to make ANY of that shit play nice with one another or to set it up so they can use them on the net as they were designed.

    So UPNP was invented so Joe average wouldn't have to pay a guy like me a couple of hundred bucks to set up their network while at the same time not having the routers set to just broadcast in the clear with zero encryption, and for that it actually worked pretty well. Now we need a new generation that will be backwards compatible enough so that everyone isn't gonna have to throw out their TVs or tablets while bumping up the security.

    But you can't just throw the baby out with the bathwater as folks still need a way to get all this stuff to hook up and to talk to each other without having to have a degree just to get it to work. Like it or not UPNP is a very useful tech to Joe and Jane average and as we get more and more internet capable devices they'll need plug and play simple even more.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  11. Re:UPnP is a vulnerability by UltraZelda64 · · Score: 2

    Then sleep well knowing that your insistence on continuing to use a known insecure feature just for a little bit of extra convenience might just come back to bite you in the ass eventually. The rest of us who know the flaws of UPnP and how to manually set up port forwarding and/or port triggering have likely already done this long ago; we survived, our networks aren't broken. It's really not difficult; just a couple switches on the router to match the ports of the software you use.

  12. Re:Because of the BSD license by NotBorg · · Score: 2

    Upstreaming your work can save you time (money) regardless of license. You can maintain your patch set independently indefinitely, but pushing your patch upstream makes it more likely that someone else will do it for you and perhaps do it better than you. Even if your patch is trivial, sometimes a small change can inspire more work.

    I once submitted a patch fixing an obscure overflow. It was a simple off-by-one flaw. Someone else scratched their head and decided to check the software for more code defects of similar nature. My simple change kick-started off around 15 more changes making my downstream project more secure and stable. I got more than my money's worth by submitting my work upstream.

    It's not about someone else "stealing" your work, it's about doing less work and often getting more work done for free.

    --
    I want this account deleted.